Lenel S2 OnGuard Integration Guide
Documentation Version: 1.1
Publish Date = February 19, 2024
Copyright © 2024 RealNetworks, Inc. All rights reserved.
SAFR® is a trademark of RealNetworks, Inc. Patents pending.
This software and related documentation are provided under a license agreement containing restrictions
on use and disclosure and are protected by intellectual property laws. Except as expressly permitted in
your license agreement or allowed by law, you may not use, copy, reproduce, translate, broadcast,
modify, license, transmit, distribute, exhibit, perform, publish, or display any part, in any form, or by any
means. Reverse engineering, disassembly, or decompilation of this software, unless required by law for
interoperability, is prohibited.
The information contained herein is subject to change without notice and is not warranted to be error-
free. If you find any errors, please report them to us in writing.
�Table of Contents
1 SAFR – Lenel S2 OnGuard Integration Guide .........................................................................................1
1.1 Introduction..................................................................................................................................1
1.2 Integration Overview and Requirements .....................................................................................1
1.2.1 Attribute mapping between OnGuard and SAFR .....................................................................2
1.3 Licensing .......................................................................................................................................3
1.3.1 OnGuard Licensing ...................................................................................................................3
1.3.2 SAFR Licensing ..........................................................................................................................3
1.4 Lenel S2 OnGuard Configuration ..................................................................................................3
1.4.1 Ports .........................................................................................................................................3
1.4.2 OnGuard configuration for SAFR to access Cardholder information .......................................3
1.4.3 OnGuard Configuration for Sending Events .............................................................................4
1.4.4 Set Deactivate Badge Status ....................................................................................................4
1.5 SAFR Configuration .......................................................................................................................4
1.5.1 Set up External Identification Synchronization ........................................................................4
1.6 Wiring ...........................................................................................................................................5
2 SAFR - OnGuard Operation Guide ..........................................................................................................7
2.1 Synchronizing Cardholders ...........................................................................................................7
3 Trouble hooting External Identity Synchronization ...............................................................................7
3.1 If the connection between the SAFR and OnGuard cannot be established. ................................7
3.2 Changes in OnGuard is not showing up in SAFR or SAFR SCAN. ...................................................7
ii
�1 SAFR – LENEL S2 ONGUARD INTEGRATION GUIDE
1.1 INTRODUCTION
Deploying and configuring SAFR and Lenel S2 OnGuard for Cardholder synchronization will allow SAFR to
import cardholder data and access credential from Lenel OnGuard to be used on SAFR SCAN face
authentication readers. SAFR Identity synchronization is a one way synch from OnGuard to SAFR. SAFR
SCAN uses the imported face image, converted into a biometric signature, to verify a person identity
when presented at a SAFR SCAN reader. When a person’s identity has been verified, the SAFR SCAN
reader transmits the imported Access Credentials to the access control panel via Wiegand or OSDP.
Please note that SAFR will not import a person record if it does not have a card access credential.
Likewise, if the access credential is removed from the person record, SAFR will delete the person record
in SAFR. SAFR only supports one card access credential per person record. If multiple credentials exist,
the most recently updated credential is imported.
For complete SAFR and SAFR SCAN documentation please visit http://docs.real.com.
1.2 INTEGRATION OVERVIEW AND REQUIREMENTS
Integration between SAFR – Lenel S2 OnGuard is available on SAFR Platform running Windows.
Please note that this Guide does not include the Installation of the SAFR Server (SAFR Platform) or the
Lenel S2 OnGuard system. This guide specifically describes:
1. Configuration of OnGuard to allow SAFR Platform server to import Cardholders, Access Credentials,
and Cardholder’s photo from OnGuard.
2. Configure the External Identification Synchronization in SAFR Platform server to access OnGuard.
3. SAFR and OnGuard use port 8080 for secure SSL communication and need to be open inbound on
the Server hosting OnGuard.
A typical integration architecture:
1
�1.2.1 Attribute mapping between OnGuard and SAFR
The following is the current imported and supported attributes/field from OnGuard
OnGuard SAFR (People data record) Notes
First Name First Name
Last Name Last Name
Badge Type Person Type
A hidden field (LNL_Person.ID)
External ID
Card holder Picture Picture ? If no picture in person record,
import only name and
credentials for use with card
only access.
Activate Date (LNL_Badge.ACTIVATE) Access Activation Records are not added until
Active Date is reached.
Deactivate Date Access Expiration SAFR Expiration set to same if
(badge_status_name eq 'Active') ? before Deactivate Date. If after
LNL_Badge.DEACTIVATE : -1
Deactivate date, record not
added.
n/a Access Card Facility ID Facility ID is the Facility ID
entered in the SAFR
configuration of External
Synchronization.
Badge ID Access Card ID If Cardholder has multiple
(LNL_Badge.ID)
credentials, the most recently
added or modified will be
imported.
Card Format Access Card Format Card Format is set on the reader
in both Lenel and SAFR
independently. At least one of
2
� the card formats in Lenel
OnGuard must match the card
format set in on the SAFR SCAN
device. Card format is not set
on each person record when
using Lenel OnGuard
integration.
n/a Access Information Origin Safr sets to “Lenel”
n/a Last Origin Synch Date Last time the record was
updated in SAFR.
1.3 LICENSING
1.3.1 OnGuard Licensing
The following two licenses are required from Lenel to enable SAFR to integrate with OnGuard and
provide external cardholder synchronization. (this will be eddied to add commercial licenses in addition
to the evaluation licenses listed)
1. OAAP Evaluation Mar 2023- Lenel-OnGuard-SubscriptionSoftware.lic
2. OAAP Evaluation Mar 2023- Lenel-OnGuard-OpenAccess-RELEASE-v8_1.lic
1.3.2 SAFR Licensing
No additional license is required from SAFR for this integration.
1.4 LENEL S2 ONGUARD CONFIGURATION
1.4.1 Ports
SAFR and OnGuard use port 8080 for secure SSL communication and need to be open inbound on the
Server hosting OnGuard.
1.4.2 OnGuard configuration for SAFR to access Cardholder information
A SAFR user must be defined in OnGuard’s “Users” tab with sufficient permissions to allow SAFR to
connect and retrieve Cardholder data.
A user defined and configured in OnGuard with the following minimum Permission Groups rights.
i. System: System Power User
ii. Cardholder: Cardholder Admin
iii. Monitor: Monitor User
iv. Report: n/a
3
� v. Field/page: View/Edit All Fields
1.4.3 OnGuard Configuration for Sending Events
In OnGuard System Administration Application, ensure “Generate software events” is checked under the
configuration of the OpenAccess host.
1.4.4 Set Deactivate Badge Status
A badge status should be assigned to badges after the deactivate date.
1. Under Administration->Cardholder Options in System Administration Application: ensure that
expired badges get a non-active setting such as "Lost" or "Returned".
1.5 SAFR CONFIGURATION
1.5.1 Set up External Identification Synchronization
To set up identity synchronization between SAFR and Symmetry, do the following:
2. Open SAFR.
3. Click on the Tools menu in the upper left corner of the client and select the System
Configuration tool from the drop-down menu.
Check the Set up External Identity synchronization box. The following dialogue will appear:
4
� 4. Enter information for the following fields:
o User directory name: The name of your SAFR user directory (default “main”)
o External identity host: Select “Lenel” from the drop-down menu.
o Host Address: The IP address or hostname of the target OnGuard server
o Host Port: The port number that the target OnGuard server is listening on. Default 8080
for secure connection (ssl).
o Host Directory: select the applicable Host Directory from the list of available directories
in the drop down menu. To select the default <internal> leave the input field blank.
Otherwise select a Lenel directory as listed and defined in OnGuard Active Directory
sources.
o Facility Code: Enter the Facility Code associated with the OnGuard server.
o Host User Id: A user defined and configured in OnGuard with the minimum Permission
defined above.
o Host Password: Password associated with User Id.
5. Click the Apply button.
1.6 WIRING
SAFR SCAN must be connected to the panel as described below.
5
�6
�2 SAFR - ONGUARD OPERATION GUIDE
2.1 SYNCHRONIZING CARDHOLDERS
External Identity synchronization is automatic. Person records and their credentials are copied from
OnGuard to SAFR Server and from there pushed to all readers. Synchronization occurs continuously in
the background. Please note that an initial synch of 50K cardholders can take between 2-3hours.
Incremental synchs thereafter of adds/deletes/edits will be updated in the order of 3-10 seconds.
SAFR will synchronize people and credentials as follows:
• At initial connection time, all records pre-existing in OnGuard are copied to SAFR.
• From then on, records added to OnGuard are copied to SAFR.
• Records modified or added in SAFR are NOT copied to OnGuard.
• Changes to records in OnGuard are updated in SAFR.
• If record is changed in SAFR, a warning is displayed in SAFR that the change may be over written
when the record is changed in OnGuard.
o To dissociate the record from OnGuard completely the “Access Information Origin”
need to be cleared.
• Only records with access credentials copied to SAFR.
• Removing credentials in OnGuard will result in the record being removed from SAFR.
• Setting record to inactive in OnGuard removes the record from SAFR.
3 TROUBLE HOOTING EXTERNAL IDENTITY SYNCHRONIZATION
3.1 IF THE CONNECTION BETWEEN THE SAFR AND ONGUARD CANNOT BE ESTABLISHED.
o Make sure that the user that is configured in SAFR is defined in with the correct
privileges in OnGuard. A quick way to confirm is to temporarily use a User with full
Admin rights.
o Make sure port 8080 is open on the OnGuard Server.
3.2 CHANGES IN ONGUARD IS NOT SHOWING UP IN SAFR OR SAFR SCAN.
If a new or changes to an existing cardholder in OnGuard is not updated in SAFR or SAFR SCAN readers.
SAFR Platform server continuously synchronizes with OnGuard for changes, each SAFR SCAN device also
continuously synchronizes with the SAFR Platform.
o If the SAFR Platform is not updated, check the connection between SAFR and OnGuard.
See SAFR -> Tools -> System Configuration – “Set up External Identity Synchronization.”
i. Indicators of potential issues: Last Synch Error and Synch Connection Status.
o If the SAFR SCAN reader is not recognizing a new or changes to a cardholder.
i. Is the SAFR SCAN reader connected to the SAFR Platform? Check Tools -> Feeds
and verify the SCAN device status is ok and without errors.
Questions or comments about the documentation? Email us at safr-doc-feedback@realnetworks.com.
